SSL installation via certbot - jigneshpshah/greycube_helpmanual GitHub Wiki
[A] Remove certbot-auto and install certbot
sudo apt update
sudo apt install snapd
sudo snap install core; sudo snap refresh core
sudo apt-get remove certbot
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Ref: https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx
[B] Get certificate : frappe user
$ bench config dns_multitenant on
$ sudo service nginx stop
(1) $ sudo certbot certonly --standalone
It will ask questions, e.g. the domain name:
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel): abc.xyz.com
It then prints output like below; note the certificate path generated and ensure the same is in site_config.json:
/etc/letsencrypt/live/abc.xyz.com/fullchain.pem
Your key file has been saved at: /etc/letsencrypt/live/abc.xyz.com/privkey.pem
(2) frappe@vmi494576:~/frappe-bench/sites/abc.xyz.com$ nano site_config.json
"ssl_certificate":"/etc/letsencrypt/live/abc.xyz.com/fullchain.pem",
"ssl_certificate_key":"/etc/letsencrypt/live/abc.xyz.com/privkey.pem"
or set the same values with bench:
bench --site demo14.greycube.in set-config ssl_certificate `sslpath`
bench --site demo14.greycube.in set-config ssl_certificate_key `keypath`
(2.2) take a backup of the nginx config:
/frappe-bench/config$ cp nginx.conf nginx.conf_mar_2
(3) ~/frappe-bench$ bench setup nginx
(4) /frappe-bench$ sudo service nginx start
(5) ~/frappe-bench$ sudo service nginx reload <-- **do not forget**
Ref: https://discuss.erpnext.com/t/certbot-auto-replaced-with-certbot/67692
To view certificates:
certbot certificates
Ref: https://certbot.eff.org/docs/using.html#:~:text=You%20can%20use%20certonly%20or,Certbot%20updates%20the%20existing%20certificate.
[c] Auto renewal
Login as root or a user with superuser privileges
and run: date (you will get the time zone, e.g. CEST)
Convert the desired run time to that time zone (e.g. with [Set time zone](https://www.worldtimebuddy.com/)),
then run crontab -e and enter:
MAILTO="[email protected]"
# run every first friday of month at 12:30 midnight
# (cron matches day-of-month OR day-of-week when both fields are set, so the
#  weekday is checked with date inside the command instead of the 5th field)
30 0 1-7 * * [ $(date +\%u) = 5 ] && sudo service nginx stop && sudo certbot renew --quiet && sudo service nginx start

# renew letsencrypt certificates on 1st Monday of every month and get an email if it gets executed
# 0 0 1-7 * * [ "$(date '+\%a')" = "Mon" ] && sudo service nginx stop && sudo certbot renew && sudo service nginx start

# renew letsencrypt certificates on 1st Sunday of every month and get an email if it gets executed
MAILTO="[email protected]"
30 1 1-7 * * [ $(date +\%u) = 7 ] && sudo service nginx stop && sudo certbot renew && sudo service nginx start

# renew letsencrypt certificates on 1st Friday of every month and get an email if it gets executed
30 1 1-7 * * [ $(date +\%u) = 5 ] && sudo service nginx stop && sudo certbot renew && sudo service nginx start

MAILTO="[email protected],[email protected]"
# run at 2:30 early morning saudi arabia time(CEST) on 1st and 3rd friday of every month
30 1 1-7 * * [ $(date +\%u) = 5 ] && sudo service nginx stop && sudo certbot renew && sudo service nginx start
30 1 15-21 * * [ $(date +\%u) = 5 ] && sudo service nginx stop && sudo certbot renew && sudo service nginx start
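Added here as an example (not the wiki's or Frappe's own code): a wrapper that does what the crontab entries above chain together, but always starts nginx again even when certbot fails, and refuses to run the standalone challenge while something else still listens on port 80 (the failure in [H]). It assumes iproute2 `ss` is available and that the file is saved as /usr/local/bin/renew-ssl.sh (both assumptions).

```sh
#!/bin/sh
# Added example (not from the wiki or the Frappe project): renewal wrapper to
# use instead of the bare "stop && renew && start" chain in the crontab above.
# That chain leaves nginx stopped when certbot fails; this one always starts
# nginx again, refuses to run the standalone challenge while something else
# still listens on port 80, and returns certbot's own exit status.
# Commands are variables so they can be swapped out (e.g. for a dry run).
NGINX_CMD=${NGINX_CMD:-"sudo service nginx"}
CERTBOT_CMD=${CERTBOT_CMD:-"sudo certbot"}
# assumption: iproute2 "ss" is available for the listening-socket check
PORT_CHECK_CMD=${PORT_CHECK_CMD:-"ss -ltn"}

# Succeeds (returns 0) when no TCP socket is listening on port 80.
port80_free() {
  ! $PORT_CHECK_CMD 2>/dev/null | grep -Eq ':80([[:space:]]|$)'
}

# Stop nginx, run "certbot renew" (extra arguments such as --cert-name are
# passed through), then start nginx whether or not the renewal succeeded.
# Exit codes: 2 nginx stop failed, 3 port 80 busy, 4 nginx start failed,
# otherwise certbot's own exit status.
renew_with_nginx_down() {
  $NGINX_CMD stop || return 2
  if ! port80_free; then
    echo "port 80 still in use after stopping nginx; not renewing" >&2
    $NGINX_CMD start
    return 3
  fi
  $CERTBOT_CMD renew --quiet "$@"
  certbot_rc=$?
  $NGINX_CMD start || return 4
  return $certbot_rc
}

# Crontab entry for this script (assumed path /usr/local/bin/renew-ssl.sh):
#   30 1 1-7 * * [ $(date +\%u) = 5 ] && /usr/local/bin/renew-ssl.sh
# The functions only run when the file is executed under that name.
if [ "$(basename -- "$0")" = "renew-ssl.sh" ]; then
  renew_with_nginx_down "$@"
fi
```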
[D] DELETE CERTIFICATE
certbot revoke --cert-path /etc/letsencrypt/live/CERTNAME/cert.pem
certbot delete --cert-name example.com
OR `sudo certbot delete --cert-name example.com`
Once deleted, run bench setup nginx again.
[E] Renew single CERTIFICATE
`sudo certbot renew --cert-name domain1.com`
Ref: https://eff-certbot.readthedocs.io/en/stable/using.html#certbot-command-line-options
[F] some errors
https://codewithkarani.com/2022/08/03/unknown-log-format-main-nginx/
- create A record pointing to new.greycube.in
- create SSL for new.greycube.in
- update site_config.json with
"ssl_certificate":"/etc/letsencrypt/live/new.greycube.in/fullchain.pem",
"ssl_certificate_key":"/etc/letsencrypt/live/new.greycube.in/privkey.pem",
"host_name": "new.greycube.in"
- cd sites
- mv old.greycube.in new.greycube.in
- cd ..
- sudo certbot delete --cert-name old.greycube.in
- sudo service nginx stop
- bench setup nginx
- sudo service nginx start
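Added as an example (not the wiki's or Frappe's own code) for the site_config.json step in [B] and the rename procedure above: a text-only check that the configured certificate and key paths belong to one /etc/letsencrypt/live/ lineage whose name matches the site (or its host_name), so a config still pointing at old.greycube.in after the rename is caught before nginx is touched. It assumes one JSON key per line, as in the wiki snippets.

```sh
#!/bin/sh
# Added example (not from the wiki or the Frappe project): sanity check of a
# bench site's site_config.json after issuing a certificate or renaming a
# site. Text-only, so it can run before nginx is stopped or regenerated.
# Assumptions: one JSON key per line (as in the wiki snippets), and the
# lineage directory name under /etc/letsencrypt/live/ equals the site name
# (or host_name when that key is set).

# Print the string value of key $2 from JSON file $1 (first match only).
site_config_value() {
  sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# $1 = site directory (e.g. sites/new.greycube.in). Exit codes:
# 1 no site_config.json, 2 ssl keys unset, 3 cert and key from different
# lineages, 4 lineage name does not match the site, 5 files not readable.
check_site_ssl_config() {
  site=$(basename -- "$1")
  cfg="$1/site_config.json"
  [ -r "$cfg" ] || { echo "no site_config.json in $1" >&2; return 1; }
  cert=$(site_config_value "$cfg" ssl_certificate)
  key=$(site_config_value "$cfg" ssl_certificate_key)
  host=$(site_config_value "$cfg" host_name)
  if [ -z "$cert" ] || [ -z "$key" ]; then
    echo "ssl_certificate / ssl_certificate_key not set in $cfg" >&2; return 2
  fi
  cert_dir=$(dirname -- "$cert"); key_dir=$(dirname -- "$key")
  [ "$cert_dir" = "$key_dir" ] || { echo "cert and key come from different lineages" >&2; return 3; }
  lineage=$(basename -- "$cert_dir")
  expected=${host:-$site}
  # after "mv old.site new.site" the config may still point at the old lineage
  [ "$lineage" = "$expected" ] || { echo "lineage $lineage does not match site $expected" >&2; return 4; }
  [ -r "$cert" ] && [ -r "$key" ] || { echo "certificate or key file not readable" >&2; return 5; }
  return 0
}
```

Usage: `check_site_ssl_config ~/frappe-bench/sites/new.greycube.in && bench setup nginx`.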
[G] from IP to URL
It is IP based access.
Rename the site to the URL.
Back up the nginx and supervisor config folders.
[H] failure like below even when nginx is stopped
Performing the following challenges:
http-01 challenge for nafess.etqantco.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Could not bind TCP port 80 because it is already in use by another process on
this system (such as a web server). Please stop the program in question and then
try again.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(R)etry/(C)ancel: R
Waiting for verification...
Challenge failed for domain nafess.etqantco.com
http-01 challenge for nafess.etqantco.com
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: nafess.etqantco.com
Type: unauthorized
Detail: 5.189.177.84: Invalid response from https://nafess.etqantco.com/.well-known/acme-challenge/GXqs8lxdLpAjSLiRLFXR8JmvzM-ZO5p9rpxDyc1hMOA: 404
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
Solution: note that the URL in the error is https and not http. Re-run with the challenge debugging options to inspect what happens:
sudo certbot certonly --standalone --debug-challenges -v